Palo Alto Networks Knowledgebase: Tips & Tricks: Forward traffic logs to a syslog server

Created On 02/07/19 23:51 PM - Last Updated 02/07/19 23:52 PM
Resolution

Need to forward traffic logs from the Palo Alto Networks firewall to a syslog server? For reporting, legal, or practical storage reasons, you may need to get these logs off the firewall onto a syslog server. Keep in mind that forwarding is configured per security rule: only sessions matched by a rule that carries a log forwarding profile are sent out, so repeat Step 3 for every rule whose traffic you want on the syslog server. Forwarding traffic logs to a syslog server involves four major steps:

 

  • Create a syslog server profile.
  • Create a log forwarding profile.
  • Use the log forwarding profile in your security policy.
  • Commit the changes.

Step 1. Create a syslog server profile

1. Go to Device > Server Profiles > Syslog

 

syslog_server_profile.png


2. Name: Enter a name for the syslog profile (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.

3. Servers: Click Add and enter a name for the syslog server entry (up to 31 characters). The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores. Then fill in the server details:

 

  • Syslog Server: Enter the IP address or FQDN of the syslog server.
  • Transport: Select whether to transport the syslog messages over UDP, TCP, or SSL.
  • Port: Enter the port number of the syslog server (the standard port for UDP is 514; the standard port for SSL is 6514; for TCP you must specify a port number).
  • Format: Specify the syslog format to use: BSD (the default) or IETF.
  • Facility: Select one of the Syslog standard values. Select the value that maps to how your Syslog server uses the facility field to manage messages. For details on the facility field, see RFC 3164 (BSD format) or RFC 5424 (IETF format).

Two things to check before you move on. First, UDP carries the logs in clear text with no delivery guarantee, so if the logs are kept for legal or evidentiary reasons use SSL, which encrypts them in transit and lets the firewall present a certificate to the syslog server (a certificate flagged "Certificate for Secure Syslog" under Device > Certificate Management > Certificates). Second, the firewall sends syslog from its management interface by default; if the syslog server is only reachable through a dataplane interface, set a service route for Syslog under Device > Setup > Services > Service Route Configuration.

syslog_server_profile_2.png

 

Your syslog server profile will now be created, as shown in the example below:

 

syslog_server_profile_3.png

 

To simplify integration with external log parsing systems, the firewall lets you customize the log format for each log type and add your own key=value attribute pairs built from the log's field variables (for example $src, $dst, $rule, $action). Every downstream parser then depends on that layout, so settle the format once and document it; changing it later silently breaks every consumer. Custom formats are configured under

Device > Server Profiles > Syslog > Syslog Server Profile > Custom Log Format:

 

custom_log_format.png

 

To achieve ArcSight Common Event Format (CEF) compliant log formatting, refer to the CEF Configuration Guides.
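As an added example (not code from this article or from Palo Alto Networks), the Python below shows what the receiving side does with the lines the firewall sends: it strips the BSD syslog header, maps the default comma-separated traffic log onto named fields, parses a hypothetical key=value Custom Log Format built from PAN-OS log variables, and runs a first report (denied sessions per source, bytes per allowed application) over constructed sample lines. The positional field list is this example's assumption of the default PAN-OS traffic log layout; confirm it against the traffic log field reference for the PAN-OS version you run.

```python
"""Receiver-side parsing and a first report over PAN-OS traffic logs.

Added example, not Palo Alto Networks code. Sample lines are constructed.
TRAFFIC_FIELDS is an assumed default traffic-log CSV order; verify it for
your PAN-OS version. A Custom Log Format replaces that layout entirely.
"""
import csv
import io
import re
from collections import Counter

# Assumed default traffic-log layout (first 47 columns). FUTURE_USE
# columns are emitted by PAN-OS but carry nothing the receiver needs.
TRAFFIC_FIELDS = [
    "future_use_1", "receive_time", "serial", "type", "subtype",
    "future_use_2", "generated_time", "src", "dst", "natsrc", "natdst",
    "rule", "srcuser", "dstuser", "app", "vsys", "from", "to",
    "inbound_if", "outbound_if", "logset", "future_use_3", "sessionid",
    "repeatcnt", "sport", "dport", "natsport", "natdport", "flags",
    "proto", "action", "bytes", "bytes_sent", "bytes_received", "packets",
    "start", "elapsed", "category", "future_use_4", "seqno", "actionflags",
    "srcloc", "dstloc", "future_use_5", "pkts_sent", "pkts_received",
    "session_end_reason",
]
INT_FIELDS = ("sport", "dport", "bytes", "bytes_sent", "bytes_received",
              "packets", "pkts_sent", "pkts_received")

# BSD (RFC 3164) framing: <PRI>Mmm dd hh:mm:ss hostname message
BSD_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<msg>.*)$", re.DOTALL)

# key=value pairs as produced by a hypothetical Custom Log Format string:
#   type=$type subtype=$subtype src=$src dst=$dst dport=$dport proto=$proto rule="$rule" action=$action bytes=$bytes
KV_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')

# Constructed samples: one session allowed by "Any Allow", two inbound
# probes from the same host denied by "Block Inbound" (default format).
SAMPLE_DEFAULT = [
    "<14>Feb  7 23:51:10 PA-VM 1,2019/02/07 23:51:10,001606000000,TRAFFIC,end,2049,2019/02/07 23:51:10,10.1.1.25,203.0.113.10,192.0.2.1,203.0.113.10,Any Allow,,,ssl,vsys1,trust,untrust,ethernet1/2,ethernet1/1,to-syslog,2019/02/07 23:51:10,65001,1,51234,443,22144,443,0x400000,tcp,allow,18342,6123,12219,48,2019/02/07 23:50:55,14,any,0,7100012345,0x0,10.0.0.0-10.255.255.255,United States,0,27,21,tcp-fin",
    "<14>Feb  7 23:52:02 PA-VM 1,2019/02/07 23:52:02,001606000000,TRAFFIC,deny,2049,2019/02/07 23:52:02,198.51.100.77,192.0.2.1,0.0.0.0,0.0.0.0,Block Inbound,,,not-applicable,vsys1,untrust,trust,ethernet1/1,ethernet1/1,to-syslog,2019/02/07 23:52:02,0,1,40211,22,0,0,0x0,tcp,deny,60,60,0,1,2019/02/07 23:52:02,0,any,0,7100012346,0x0,United States,10.0.0.0-10.255.255.255,0,1,0,policy-deny",
    "<14>Feb  7 23:52:30 PA-VM 1,2019/02/07 23:52:30,001606000000,TRAFFIC,deny,2049,2019/02/07 23:52:30,198.51.100.77,192.0.2.1,0.0.0.0,0.0.0.0,Block Inbound,,,not-applicable,vsys1,untrust,trust,ethernet1/1,ethernet1/1,to-syslog,2019/02/07 23:52:30,0,1,40212,23,0,0,0x0,tcp,deny,60,60,0,1,2019/02/07 23:52:30,0,any,0,7100012347,0x0,United States,10.0.0.0-10.255.255.255,0,1,0,policy-deny",
]
# Constructed line as the hypothetical key=value custom format would emit it.
SAMPLE_CUSTOM = ('<14>Feb  7 23:53:15 PA-VM type=TRAFFIC subtype=end src=10.1.1.40 '
                 'dst=203.0.113.55 dport=80 proto=tcp rule="Any Allow" action=allow bytes=2048')


def split_syslog(line):
    """Separate the BSD header from the message body; decode PRI into facility/severity."""
    m = BSD_HEADER.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("not a BSD-framed syslog line: %r" % line[:40])
    pri = int(m.group("pri"))
    header = {"facility": pri >> 3, "severity": pri & 7,
              "timestamp": m.group("ts"), "host": m.group("host")}
    return header, m.group("msg")


def parse_default_traffic(body):
    """Map the default comma-separated layout onto named fields; reject non-traffic logs."""
    row = next(csv.reader(io.StringIO(body)))
    if len(row) < len(TRAFFIC_FIELDS):
        raise ValueError("expected at least %d fields, got %d" % (len(TRAFFIC_FIELDS), len(row)))
    rec = dict(zip(TRAFFIC_FIELDS, row))
    if rec["type"] != "TRAFFIC":
        raise ValueError("not a traffic log: type=%s" % rec["type"])
    for key in INT_FIELDS:
        rec[key] = int(rec[key])
    return rec


def parse_custom_kv(body):
    """Parse key=value pairs; quoted values may contain spaces (e.g. rule names)."""
    rec = {}
    for key, raw, quoted in KV_PAIR.findall(body):
        rec[key] = quoted if raw.startswith('"') else raw
    return rec


def parse_line(line, custom_kv=False):
    """Full pipeline for one syslog line; the header is kept under '_syslog'."""
    header, body = split_syslog(line)
    rec = parse_custom_kv(body) if custom_kv else parse_default_traffic(body)
    rec["_syslog"] = header
    return rec


def summarize(records):
    """Denied sessions per source and bytes per allowed application."""
    denied, bytes_by_app = Counter(), Counter()
    for r in records:
        if r["action"] == "allow":
            bytes_by_app[r["app"]] += r["bytes"]
        else:
            denied[r["src"]] += 1
    return denied, bytes_by_app


if __name__ == "__main__":
    denied, by_app = summarize(parse_line(l) for l in SAMPLE_DEFAULT)
    print("denied sessions per source:", dict(denied))
    print("bytes per allowed app:", dict(by_app))
    print("custom format rule:", parse_line(SAMPLE_CUSTOM, custom_kv=True)["rule"])
```

The parser deliberately refuses lines that are too short or not of type TRAFFIC rather than guessing: once threat or system logs share the same syslog profile, a positional parser that silently mis-maps columns is worse than one that drops the line and counts the error.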

 

Step 2. Create a log forwarding profile

Go to Objects > Log forwarding. Click Add.

 

log_forwarding_profile.png


  1. Name: Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
  2. Syslog: Select the syslog server profile from Step 1; this tells the firewall where to send the traffic log entries in addition to storing them locally. (On PAN-OS 8.0 and later the profile is built from match lists: click Add under the match list, set Log Type to traffic, and select the syslog server profile under Syslog.)
  3. Click 'OK' to confirm your configuration.

log_forwarding_profile_2.png

 

 

Your Log Forwarding Profile is now created, as shown in the following example:

 

log_forwarding_profile_3.png

 

Step 3. Use the log forwarding profile in your security policy

 

Go to Policies > Security

 

security_policy.png

 

Select the rule to which the log forwarding profile should be applied ('Any Allow' in the following example):

 

security_policy_2.png


Next, go to the Actions tab, select the Log Forwarding profile from the dropdown, and click OK. While you are there, make sure Log at Session End (enabled by default) is still checked: the forwarding profile only forwards the logs the rule actually generates, so a rule with logging switched off forwards nothing.

 

security_policy_rule.png

 

After clicking OK, you will notice the forwarding icon in the 'Options' column of your security rule:

 

security_rule_options.png

 

Step 4. Don't forget to commit your changes when you're finished. Nothing is forwarded until the commit completes. Once it has, generate some traffic that matches the rule and confirm the lines arrive at the syslog server (for example, watch the listening port with tcpdump, or tail the file your syslog daemon writes to). A profile that was configured but never committed, or attached to a rule with logging disabled, is the usual reason "nothing shows up".

 

Cheers!

-Kim

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail